Description

frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. This vulnerability is fixed in 0.68.1.

INFO

Published Date :

2026-04-21T20:09:00.893Z

Last Modified :

2026-04-21T20:28:48.579Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40910 vulnerability.

Vendors Products
Fatedier
  • Frp
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40910.

URL Resource
https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact